
I have gotten the task of setting up a network where there is an existing gateway for my "public ip" 10.200.3.2/28 already. I am to set up a gw/dhcp which uses the existing gateway the given ip address on one vlan interface (eth0.2) and uses NAT to get traffic out from 172.16.0.0/25 to the internet and back masqueraded.

I first tried setting up a simple NAT like this:

*nat
:POSTROUTING ACCEPT [0:0]

#Forward traffic through eth0.2
-A POSTROUTING -s 172.16.0.0/25 -o eth0.2 -j MASQUERADE
-A POSTROUTING -s 172.16.1.0/25 -o eth0.2 -j MASQUERADE

and then set up BIND9 on a second machine with only the internal ips (forward and backward), using no views or acl. This worked and I was able to resolve. I then proceeded to end up at the point I am now. I am not able to resolve with ping or nslookup, and when I try with for example "www.example.com" I get this:

user@ns:~$ nslookup www.example.com
;; communications error to 172.16.0.2#53: timed out
;; Got SERVFAIL reply from 172.16.0.2, trying next server
;; communications error to 10.250.0.5#53: timed out
;; communications error to 10.250.0.5#53: timed out
;; no servers could be reached

status shows this:

Nov 24 22:23:46 ns.bedrift3.d3-101.usn named[2232]: network unreachable resolving 'ntp.ubuntu.com/AAAA/IN': 10.250.0.5#53
Nov 24 22:28:55 ns.example.com named[2232]: listening on IPv4 interface eno1, 172.16.0.2#53
Nov 24 22:57:08 ns.example.com named[2232]: managed-keys-zone/public: Unable to fetch DNSKEY set '.': timed out
Nov 24 22:57:08 ns.example.com named[2232]: managed-keys-zone/private: Unable to fetch DNSKEY set '.': timed out
Nov 24 23:14:05 ns.example.com named[2232]: managed-keys-zone/private: Unable to fetch DNSKEY set '.': timed out
Nov 24 23:14:05 ns.example.com named[2232]: managed-keys-zone/public: Unable to fetch DNSKEY set '.': timed out

I am quite new in this field and feel as if I have tried to the best of my ability, so any feedback would be greatly appreciated.

Both machines are on ubuntu 22.04 LTS Server

Everything GW DHCP (172.16.0.1)

Is able to resolve from gw (really slow for some reason):

user@gw:~$ ping google.com
PING google.com (172.217.21.174) 56(84) bytes of data.
64 bytes from fra07s64-in-f174.1e100.net (172.217.21.174): icmp_seq=1 ttl=52 time=10.5 ms
64 bytes from fra07s64-in-f174.1e100.net (172.217.21.174): icmp_seq=2 ttl=52 time=10.3 ms
64 bytes from arn11s03-in-f14.1e100.net (172.217.21.174): icmp_seq=3 ttl=52 time=10.3 ms
64 bytes from fra07s64-in-f174.1e100.net (172.217.21.174): icmp_seq=4 ttl=52 time=10.6 ms
user@gw:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether dc:a6:32:44:a2:19 brd ff:ff:ff:ff:ff:ff
    inet 169.254.245.151/16 brd 169.254.255.255 scope link noprefixroute eth0
       valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether dc:a6:32:44:a2:1a brd ff:ff:ff:ff:ff:ff
4: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether dc:a6:32:44:a2:19 brd ff:ff:ff:ff:ff:ff
    inet 10.200.3.2/28 brd 10.200.3.15 scope global noprefixroute eth0.2
       valid_lft forever preferred_lft forever
5: eth0.30@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether dc:a6:32:44:a2:19 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.1/25 brd 172.16.0.127 scope global noprefixroute eth0.30
       valid_lft forever preferred_lft forever

user@gw:~$ ip r
default via 10.200.3.1 dev eth0.2 proto static metric 401
10.200.3.0/28 dev eth0.2 proto kernel scope link src 10.200.3.2 metric 401
169.254.0.0/16 dev eth0 proto kernel scope link src 169.254.245.151 metric 100
172.16.0.0/25 dev eth0.30 proto kernel scope link src 172.16.0.1 metric 400
224.0.0.0/4 dev eth0 proto static scope link metric 100

/etc/ufw/before.rules

# nat Table rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

#Forward traffic through eth0.2
-A POSTROUTING -s 172.16.0.0/25 -o eth0.2 -j MASQUERADE
-A POSTROUTING -s 172.16.1.0/25 -o eth0.2 -j MASQUERADE

#Port forwarding
-A PREROUTING -i eth0.30 -p tcp --dport 25 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 25 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 53 -j DNAT --to-destination 172.16.0.2
-A PREROUTING -i eth0.30 -p udp --dport 53 -j DNAT --to-destination 172.16.0.2
-A PREROUTING -i eth0.30 -p tcp --dport 80 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 80 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 110 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 110 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 143 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 143 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 443 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 443 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 1433 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 1433 -j DNAT --to-destination 172.16.0.3

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

dhcpd.conf

option domain-name "example.com";
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;

subnet 172.16.0.0 netmask 255.255.255.128 {
        option domain-name-servers 172.16.0.2, 10.250.0.5, 8.8.8.8;
        option routers 172.16.0.1;
        option broadcast-address 172.16.0.127;
}

host DNS {
        hardware ethernet 18:03:73:28:00:35;
        fixed-address 172.16.0.2;
}

host webserver {
        hardware ethernet 00:25:64:E6:FD:CF;
        fixed-address 172.16.0.3;
}

host safe-dhcp {
        hardware ethernet DC:A6:32:44:A2:58;
        fixed-address 172.16.0.4;
}

Everything ns (172.16.0.2)

user@ns:~$ ping google.com
ping: google.com: Temporary failure in name resolution

user@ns:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 18:03:73:28:00:35 brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    inet 172.16.0.2/25 brd 172.16.0.127 scope global dynamic noprefixroute eno1
       valid_lft 509sec preferred_lft 509sec
    inet6 fe80::1a03:73ff:fe28:35/64 scope link
       valid_lft forever preferred_lft forever
user@ns:~$ ip r
default via 172.16.0.1 dev eno1 proto dhcp metric 100
172.16.0.0/25 dev eno1 proto kernel scope link src 172.16.0.2 metric 100

DNS files

/etc/bind/named.conf.options

(10.150.0.5 is a DNS server which is tested to work on the lab.)

options {
        listen-on port 53 { localhost; 172.16.0.2; };
        directory "/var/cache/bind";
        allow-query { any; };
        allow-transfer { any; };
        forwarders { 10.250.0.5; };
        forward only;
};

acl private { localhost; 172.16.0.0/25; 172.16.1.0/25; };

acl public { 10.100.7.0/24; 10.250.0.0/16; };

/etc/bind/named.conf.local

view private {
        match-clients { private; };

        zone "." {
                type hint;
                file "/usr/share/dns/root.hints";
        };

        zone "example.com" IN {
                type master;
                file "/etc/bind/db.example.com";
                allow-update { none; };
        };

        zone "3.200.10.in-addr.arpa" IN {
                type master;
                file "/etc/bind/db.10.200.3";
                allow-update { none; };
        };
};

view public {
        match-clients { public; };

        zone "example.com" IN {
                type master;
                file "/etc/bind/db.public.example.com";
                allow-update { none; };
        };

        zone "0.16.172.in-addr.arpa" IN {
                type master;
                file "/etc/bind/db.172.16.0";
                allow-update { none; };
        };
};

/etc/bind/db.example.com

$TTL 1h
@ IN SOA dns-example.com. [email protected]. (1234 1H 1800 60 30)

@       IN      NS      dns-example.com.

gw      IN      A       172.16.0.1
ns      IN      A       172.16.0.2
www     IN      A       172.16.0.3
mail    IN      A       172.16.0.3
safe    IN      A       172.16.0.4
@       IN      MX      10      mail

/etc/bind/db.public.example.com

$TTL 1h
@ IN SOA dns-example.com. [email protected]. (1234 1H 1800 60 30)

@       IN      NS      dns-example.com.

gw      IN      A       10.200.3.1
ns      IN      A       10.200.3.2
www     IN      A       10.200.3.2
mail    IN      A       10.200.3.2
safe    IN      A       10.200.3.2
@       IN      MX      10      mail

/etc/bind/db.10.200.3

$TTL 1h
@ IN SOA dns-example.com. [email protected]. (1234 1H 1800 60 30)

@       IN      NS      dns-example.com.

1       IN      PTR     gw.example.com.
2       IN      PTR     ns.example.com.
3       IN      PTR     www.example.com.
3       IN      PTR     mail.example.com.
4       IN      PTR     safe.example.com.

/etc/bind/db.172.16.0

$TTL 1h
@ IN SOA dns-example.com. [email protected]. (1234 1H 1800 60 30)

@       IN      NS      dns-example.com.

1       IN      PTR     gw.example.com.
2       IN      PTR     ns.example.com.
3       IN      PTR     www.example.com.
3       IN      PTR     mail.example.com.
4       IN      PTR     safe.example.com.
  • Small update, I changed the etc/resolv.conf to say: nameserver 10.250.0.5 not: nameserver 172.16.0.2 nameserver 10.250.0.5 and it is now resolving to google.com a lot faster. It does not seem to have solved anything else, but a little progress at least.
    – Danders
    Nov 25 at 18:33

1 Answer

It seems like your dns server is not reachable on 10.150.0.5, because you forward everything to 172.16.0.2.

You could try to change your iptables rules for dns forward to something like this

iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 10.150.0.5

I'm not sure if that will work because with all the config files your setup confuses me a bit.

  • I'll try to elaborate a bit more. The lab I am set up in has a gateway set up specifically for my subnet at 10.200.3.1. This same lab has a DNS which is used for getting access to the internet on 10.250.0.5. My subnet has its own gw with my dhcp for subnet 172.16.0.0/25. This subnet has its own DNS on 172.16.0.2 which I want things to be resolved on internally if there is a listing for it. If not I want it to be forwarded by the same DNS to the DNS on the lab network. Does that clear things up or is there something else that seems confusing @Turdie ?
    – Danders
    Nov 25 at 18:28
  • As I said you are not forwarding anything to your dns in your current iptables/ufw rules, try to figure that out
    – Turdie
    Nov 25 at 20:37
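The answer's point, that the posted rules forward DNS to 172.16.0.2, can be checked on paper before touching the real firewall. The following is an added example, not code from the question or the answer: a small POSIX shell/awk simulation of first-match processing for the nat-table rules shown in the question's /etc/ufw/before.rules (RULES_POSTED, trimmed to the lines that matter), plus a reduced copy of the gw routing table from the question's `ip r` output. The function names (dnat_target, masquerade_action, route_iface, packet_walk) are mine, 203.0.113.10 is a constructed client destination, and RULES_EXTERNAL is an assumed variant that hooks the same DNAT rules on the uplink eth0.2 instead of eth0.30; the thread does not confirm that this is the intended design, it is only there to show how the match changes.

```shell
#!/bin/sh
# Added example (not from the question or the answer): first-match simulation
# of the gw's nat-table rules. RULES_POSTED is copied from the question's
# /etc/ufw/before.rules (trimmed); RULES_EXTERNAL is a constructed variant
# that hooks the DNAT rules on the uplink eth0.2 instead (an assumption).

RULES_POSTED='
-A POSTROUTING -s 172.16.0.0/25 -o eth0.2 -j MASQUERADE
-A POSTROUTING -s 172.16.1.0/25 -o eth0.2 -j MASQUERADE
-A PREROUTING -i eth0.30 -p tcp --dport 53 -j DNAT --to-destination 172.16.0.2
-A PREROUTING -i eth0.30 -p udp --dport 53 -j DNAT --to-destination 172.16.0.2
-A PREROUTING -i eth0.30 -p tcp --dport 80 -j DNAT --to-destination 172.16.0.3
'

RULES_EXTERNAL='
-A POSTROUTING -s 172.16.0.0/25 -o eth0.2 -j MASQUERADE
-A PREROUTING -i eth0.2 -p udp --dport 53 -j DNAT --to-destination 172.16.0.2
'

# Shared awk helpers: dotted quad -> integer, and CIDR membership
# (POSIX awk has no bit operators, so the prefix is compared by division).
AWK_LIB='
function ip2n(s,   p) { split(s, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
function in_cidr(ip, cidr,   c, unit) {
    if (index(cidr, "/") == 0) { cidr = cidr "/32" }
    split(cidr, c, "/"); unit = 2 ^ (32 - c[2])
    return int(ip2n(ip) / unit) == int(ip2n(c[1]) / unit)
}
'

# dnat_target IN_IF PROTO DPORT [RULES]
# Prints the --to-destination of the first matching PREROUTING DNAT rule,
# or nothing when no rule matches (the packet keeps its destination).
dnat_target() {
    printf '%s\n' "${4:-$RULES_POSTED}" | awk -v iif="$1" -v proto="$2" -v dport="$3" '
    $1 == "-A" && $2 == "PREROUTING" {
        rif = ""; rproto = ""; rport = ""; target = ""; dest = ""
        for (k = 3; k <= NF; k++) {
            if ($k == "-i") { rif = $(k + 1) }
            else if ($k == "-p") { rproto = $(k + 1) }
            else if ($k == "--dport") { rport = $(k + 1) }
            else if ($k == "-j") { target = $(k + 1) }
            else if ($k == "--to-destination") { dest = $(k + 1) }
        }
        if (target == "DNAT" && (rif == "" || rif == iif) &&
            (rproto == "" || rproto == proto) && (rport == "" || rport == dport)) {
            print dest; exit
        }
    }'
}

# masquerade_action SRC OUT_IF [RULES]
# Prints MASQUERADE when a POSTROUTING rule rewrites the source, else nothing.
masquerade_action() {
    printf '%s\n' "${3:-$RULES_POSTED}" | awk -v src="$1" -v oif="$2" "$AWK_LIB"'
    $1 == "-A" && $2 == "POSTROUTING" {
        rsrc = ""; rof = ""; target = ""
        for (k = 3; k <= NF; k++) {
            if ($k == "-s") { rsrc = $(k + 1) }
            else if ($k == "-o") { rof = $(k + 1) }
            else if ($k == "-j") { target = $(k + 1) }
        }
        if (target == "MASQUERADE" && (rsrc == "" || in_cidr(src, rsrc)) &&
            (rof == "" || rof == oif)) { print target; exit }
    }'
}

# route_iface DST: egress interface for a destination, reduced from the
# `ip r` output shown for gw in the question (connected routes, then default).
route_iface() {
    awk -v dst="$1" "$AWK_LIB"'
    BEGIN {
        if (in_cidr(dst, "172.16.0.0/25")) { print "eth0.30" }
        else if (in_cidr(dst, "10.200.3.0/28")) { print "eth0.2" }
        else { print "eth0.2" }   # default via 10.200.3.1 dev eth0.2
    }'
}

# packet_walk SRC IN_IF DST PROTO DPORT [RULES]
# Destination after PREROUTING, egress interface, and POSTROUTING action.
packet_walk() {
    new_dst=$(dnat_target "$2" "$4" "$5" "$6"); [ -n "$new_dst" ] || new_dst=$3
    oif=$(route_iface "$new_dst")
    snat=$(masquerade_action "$1" "$oif" "$6"); [ -n "$snat" ] || snat=none
    printf 'dst=%s out=%s snat=%s\n' "$new_dst" "$oif" "$snat"
}

# ns's own forwarder query (172.16.0.2 -> 10.250.0.5:53) arrives on eth0.30:
packet_walk 172.16.0.2 eth0.30 10.250.0.5 udp 53
# -> dst=172.16.0.2 out=eth0.30 snat=none   (handed straight back to ns)
# A LAN client's HTTPS request (203.0.113.10 is a constructed address):
packet_walk 172.16.0.10 eth0.30 203.0.113.10 tcp 443
# -> dst=203.0.113.10 out=eth0.2 snat=MASQUERADE
# The same forwarder query with the DNAT hooked on eth0.2 instead:
packet_walk 172.16.0.2 eth0.30 10.250.0.5 udp 53 "$RULES_EXTERNAL"
# -> dst=10.250.0.5 out=eth0.2 snat=MASQUERADE
```

Run it with `sh`. The first walk is the one that matters for the symptoms in the question: every port-53 packet entering gw on eth0.30, including the resolver's own queries to the forwarder 10.250.0.5, is rewritten to 172.16.0.2, so the forwarder is never reached from ns while gw itself (whose own queries leave on eth0.2 and never pass PREROUTING on eth0.30) resolves fine. On the real gw the equivalent check is the per-rule packet counters from `iptables -t nat -L PREROUTING -n -v`, which climb on the port-53 DNAT rule every time ns retries.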
